HowTo Set Up Certificate Based VPNs with Check Point Appliances - R77 edition

Preface

Securing virtual private networks (VPNs) in enterprise site-to-site environments is an important task for keeping the trusted network and its data protected. It is also critical for avoiding any loss of data sovereignty.

When it comes to VPN security many security experts first think of encryption algorithms, perfect forward secrecy (PFS), Diffie-Hellman groups... and a long pre-shared key (PSK). Ouch!

What about VPN certificates?

Every security expert knows how much better certificates are for reaching high security levels. Therefore certificates are always best practice in enterprise-grade security environments.

However, most VPN site-to-site setups are still based on simple, long-lasting pre-shared keys. In many cases these keys have even been forgotten by the administrators in charge of keeping the network secure, because once configured for the VPN tunnel they are not needed anymore.

This is because it's much quicker and really easy to set up a VPN with a simple pre-shared key than having to deal with certificates and a certificate authority (CA).

When working with VPN tunnels between Check Point gateways there is absolutely no reason not to use VPN certificates.

Setup:

Management : Check Point SmartCenter

Gateway : Check Point Firewall & VPN

Remote Office : Check Point 1100 Appliance

Centrally managed

Check Point is well-known for its superior security management solution to which all Check Point gateways are connected. This central management approach makes it so easy to deploy security settings to all connected gateways with a single click on policy installation.

Check Point's security management is called SmartCenter Server (or Multi-Domain Security Management) and has an internal certificate authority built-in. This InternalCA enables the global use of certificates between all connected components and gateways right out-of-the-box.

Check Point automatically generates certificates when a new Check Point object is created, so you don't have to take care of certificate handling. Check Point does it all for you.

Establishing a certificate based VPN in centrally managed Check Point environments is as easy as 1-2-3.

First, create a VPN community for certificate based VPNs (Mesh or Star topology)

Please note that you can either configure the VPN topology in wizard mode when creating a new Check Point object, or in classic mode when the gateway object already exists. Depending on where you configure it, your screens might look a bit different from the screenshots used here.

Verify your VPN certificate and IPsec VPN community.

After you have configured the VPN topology for your VPN gateways you should add them to your VPN community.

Add your VPN gateways to your VPN community.

Finally, install the security policy.

The certificate based VPN tunnel is now up and working!

Externally managed

Other companies love Check Point, too! They have their own SmartCenter Server (or Multi-Domain Security Management) as central Check Point security management.

To configure a certificate based VPN tunnel with their VPN gateway you just need to exchange certificates!

Let's go!

Navigate to Manage > Servers and OPSEC Applications... > internal_ca > Edit... > Local Security Management Server > Save As... and export your CA certificate in order to send it to the firewall administrators of that other company. Tell them to send you theirs as well.

In case the Externally Managed VPN Gateway is a dynamically assigned IP address (DAIP) gateway, make sure CRL checking works and the VPN tunnel is configured to be permanent. Check that your gateway can reach the CRL distribution points (check whether DNS resolution is required), that CRL retrieval via HTTP and CRL Caching are checked, and enter the correct DN for their VPN certificate (i.e. the DN of their defaultCert as shown under IPSec VPN of their Check Point Gateway object)!

Locally managed

Using the same technique as described for externally managed Check Point gateways won't work, as 600/1100 appliances don't have a SmartCenter Server running. Still, these SMB appliances have their own local CA!

You'll then find our imported SMB certificate 'CP1100' next to our internal_ca within the Trusted CAs list of our Management.

Option B - Issue a certificate request

Go to VPN > Certificates > Installed Certificates and click New Signing Request to generate a new certificate.

Enter a Certificate name and Subject DN.

Export the Signing Request to a file.

Copy the contents of the exported file.

On the Management start the ICA Management Tool (sk39915), go to Certificate Creation and paste the certificate request into the PKCS#10 text box.

Create the signed certificate.

If required, change the filename extension of the created certificate to .crt.

On the SMB appliance, Upload the Signed Certificate and Complete.

End of Option B

Now simply create an Externally Managed Check Point Gateway for our SMB appliance and you are all set up and done.

When configuring the Matching Criteria for our SMB appliance, check the DN box and paste the Subject of our SMB appliance's Default Certificate if you took Option A.

In case of Option B, first copy the DN of the created certificate from within the ICA Management Tool, then paste it into the DN field of the VPN certificate as issued by our internal_ca.
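As an added example that is not part of the original article, the following openssl script walks through the Option B flow offline: a stand-in CA (constructed, representing internal_ca), a PKCS#10 signing request as the SMB appliance would export it, the signed certificate, and the two checks worth doing before the Matching Criteria are filled in: extracting the subject DN exactly as it must be pasted into the DN field, and verifying that the certificate chains to the CA you imported. All names and DNs are constructed.

```shell
#!/bin/sh
# Added example: reproduces Option B with openssl so the DN and the chain can be
# checked before the Externally Managed Gateway object is configured.
# The CA below is a constructed stand-in; the real internal_ca lives on the SmartCenter.
set -eu
WORK="$(mktemp -d)"

# Stand-in for internal_ca (self-signed, constructed)
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=example-mgmt/CN=internal_ca-stub" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Stand-in for "New Signing Request" on the SMB appliance (PKCS#10, constructed Subject DN)
make_signing_request() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=example-mgmt/CN=CP1100-vpncert" \
    -keyout "$WORK/smb.key" -out "$WORK/smb.csr" 2>/dev/null
}

# Stand-in for "Certificate Creation" in the ICA Management Tool
sign_request() {
  openssl x509 -req -in "$WORK/smb.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/smb.crt" 2>/dev/null
}

# Subject DN in RFC 2253 order, i.e. the value to paste into the DN field
# of the Matching Criteria (most-specific RDN first, comma separated)
cert_subject_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Only trust the gateway object if its certificate chains to the imported CA;
# a certificate signed by any other CA must be rejected here
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}
```

Run make_test_ca, make_signing_request and sign_request in that order, then compare cert_subject_dn "$WORK/smb.crt" with the DN shown in the ICA Management Tool before pasting it.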

Install the security policy.

And check out the working VPN tunnel.

Danny Jung is passionate about VPN security and leads you through the joy of creating certificate based VPNs with Check Point appliances. Danny Jung is the Chief Technology Officer (CTO) at ESC and has been working with Check Point Firewalls for more than a decade.

Re: HowTo Set Up Certificate Based VPNs with Check Point Appliances - R77 edition

Danny, this is a great article. I am looking to configure DAIP site-to-site with an external vendor with R80.10. Do you have a similar article I can copy off you? Can't find anything that tells you how to do this. Much appreciated.